It’s a pointless parlour game, but what among all the work of UK private security would you rank as most important? Mark Rowe asks, to introduce a little-considered field of business security: protection for start-ups.
Is it most important in a hospital – if it fails, a baby might go missing? Or a warehouse, where a single pallet might hold consumer goods worth six figures? Or critical national infrastructure, such as an airport, port or water company, where if (as featured in the February edition of Professional Security Magazine) the supply were to fail, people have to wash with bottled water? At least arguably, more important than any, is a start-up of a handful of people if among them is the next potential Steve Jobs; developing the 2030s’ equivalent of the iPhone; working in an access-controlled lab on a university campus, or in a business park outside Cambridge, or in some ‘shared workspace’ in some university town.
Those handful have the example of Apple, and all the other tech giants; because they all had to start somehow. Jeff Bezos famously began Amazon as a home business. A start-up has to grow before it can afford to hire a security specialist (when staff numbers reach 50?). As an aside, the young, bright, ambitious security manager who’s developed themselves well enough to wonder how to progress could have a varied, stimulating and lucrative time if they got into the right start-up as their first head of security.
I recall before covid on a visit to the Science Museum in South Kensington in London, seeing the first Apple computer, dating from the late 1970s; largely made of wood. Start-ups have examples; and ambition, to be the next Apple, or (maybe a more realisable aim) to get bought by a big tech firm. In other words, the intellectual property (IP), typically in STEM subjects (science-technology-engineering-mathematics) is all; and yet those handful of people have no-one with a job title of protecting it?!
Hence the UK official National Protective Security Authority’s Trusted Research arm of their work, to mitigate the risk to IP, in the real world and (with the National Cyber Security Centre, who work with university chief information security officers, CISOs) online. It’s easy to assume that the risk is espionage (physical and cyber). And indeed mitigations will cover espionage: do the researchers shut the door behind them, and do they have a privacy screen on their laptop, when they pop out to the campus coffee shop? Do they have security blinds on the window (and, more’s the point, lower them?). Do they have a policy about visitors, and the wearing of lanyards with ID? In the workplace or in the most sensitive areas, do phones have to go in lockers? If staff are travelling, do they have (and more’s the point, take!) advice about personal safety. And what if the ones issuing the invitation have asked staff to bring their research with them?
Risks can be legal; as well as illegal espionage. Universities seeking to spin out their research commercially don’t want reputational risk, such as a link to the Chinese military, or some other body that students might protest about, uncovered (which a web search might reveal about a foreign PhD student that a visa is offered to). The venture capital offered as investment – where’s it from? Might those ultimately behind the capital seek to reverse-engineer the IP?
Also to consider is that mitigation has to come before it’s too late; because of the speed of development. Recall the unnerving comment from the talk about generative artificial intelligence by James Mortlock at the Association of Security Consultants’ seminar in London in February, that some AI (and ChatGPT was only released in 2022) is ‘ancient history’.
While the stakes are high, and the research could be national-security sensitive, the NPSA has short videos under ‘Trusted Research’ on Youtube. Like all their public-facing products, the content is excellent in style and content, pointing out to researchers that not being aware of the risks could have ‘severe consequences’ for their career, besides their research being misused (as a journalist covering private security for four decades, it’s piquant to see on one video, a start-up worker being door-stepped by investigative journalists).
While start-ups may not be the typical milieu of a security manager – as the NPSA videos show, the staffers are young, and casually dressed – the NPSA’s Trusted Research material online is of use to heads of security beyond the university research and start-up community: for example, about basic security when in co-working spaces, and when travelling overseas. Visit https://www.npsa.gov.uk/specialised-guidance/trusted-research.
